What are the differences among policies, standards, procedures and technical controls?
Policies are long-term, high-level management instructions on how the organization is to be run and generally are driven by legal concerns (due diligence). Policies reflect an organization's goals, objectives, culture and are intended for broad audiences. They also are mandatory and are applicable to anyone -- employee, contractor, temporary, etc. Special approval if the policy is not to be followed (an exception) should be documented. (Yes, a policy for exceptions is necessary!). Policies drive standards, procedures and technical controls. Example: Passwords will be used.
Standards define the process or rules to be used to support the policy such as system-design models or specific software or methodologies. Standards can be directed to a broad audience or limited to specific groups or individuals (i.e., software developers), are of limited duration and reflect organizational change or environmental changes. Like policies, standards are mandatory and require special approval if the standard is not to be followed. Example: Passwords will be constructed of 6-8 alpha-numeric characters.
Procedures are specific instructions (ordered tasks) for performing some function or action. Procedures are of a somewhat short duration, are mandatory and they reflect organizational change or environmental changes. Example: To change your password, type your old password, then a front slash and then your new password.
Technical controls are mechanisms used to regulate the operations to meet policy requirements (countermeasures). Technical controls can be volitile particularly in the distributed environment when hackers are gracious enough to find holes in technology and point them out to the user community!
This was first published in February 2001